Information Security Fundamentals Quiz


Questions and Answers

What is the primary purpose of encryption in information security?

  • To protect the confidentiality of information (correct)
  • To ensure data availability
  • To enhance data transmission speed
  • To maintain data integrity

Which of the following best describes the concept of information integrity?

  • Keeping data accessible at all times
  • Establishing user authentication policies
  • Ensuring information remains unaltered and authentic (correct)
  • Preventing unauthorized disclosure of information

What is a common risk associated with the use of USB-connected devices?

  • Improving system performance
  • Facilitating user access control
  • Enhancing data redundancy
  • Introducing malware to secure systems (correct)

Which of the following measures is essential for protecting confidential information?

Answer: Application of general security policies (D)

Which type of information is considered proprietary and requires special protection?

Answer: Commercial trade secrets (C)

What is a key guideline when using photocopiers to protect personal data?

Answer: Securely disposing of all copied materials (A)

Which of the following is NOT a way to ensure the protection of personal data?

Answer: Using plain text passwords (B)

In the context of the CIA triad, what aspect is directly impacted by unauthorized access to information?

Answer: Confidentiality (A)

What is a fundamental principle of protecting tangible assets that applies to information assets as well?

Answer: Protection in depth (D)

Which approach is critical for achieving information security?

Answer: Layered approach (C)

Which type of information is often poorly protected yet vital to organisations?

Answer: Intellectual property (C)

What method is NOT typically used by adversaries to obtain sensitive data?

Answer: Password sharing (C)

Which of the following best describes proprietary information?

Answer: Trade secrets that provide a competitive edge (A)

What is a significant risk posed by USB-connected devices?

Answer: Potential for malware transmission (C)

Which of the following is a best practice for protecting personal data?

Answer: Regularly updating software (D)

What type of information is often targeted by thieves for exploitation?

Answer: Sensitive financial data (D)

What is a major risk identified in the practices of employees related to USB drives?

Answer: Not notifying the organization if a USB drive containing confidential data is lost (C)

Which of the following statements best reflects Chris Davy CB's view on employee integrity in information security?

Answer: It is inadequate and poses a risk to information security (B)

Which practice is considered a risky behavior regarding password security?

Answer: Sharing passwords with colleagues (D)

What is recommended regarding the use of personally-owned mobile devices in an organization?

Answer: They should never connect to the organization's network (C)

What is a common misconception about password use among employees?

Answer: Reusing the same password across multiple sites is safe (B)

What should be avoided when working on a laptop while traveling?

Answer: Carrying sensitive information (B)

What describes an effective approach to protecting sensitive information during photocopying?

Answer: Always use organizational equipment for photocopying (C)

Which of the following contributes to the creation of new vulnerabilities in information systems?

Answer: Engaging in risky online behavior (D)

Flashcards

Information Security Reliance on Employees

The security of information relies heavily on the trustworthiness and responsible actions of employees.

Reckless Information Protection

A careless attitude towards information protection, leading to potential breaches.

Insecure Wireless Network

Connecting to the internet through a network that doesn't provide adequate security measures.

Not Deleting Unnecessary Information

Failing to erase data from a computer when it's no longer needed, leaving it vulnerable to unauthorized access.

Password Sharing

Sharing passwords with others, increasing the risk of unauthorized access.

Reusing Passwords

Using the same password and username for multiple accounts, compromising security if one account is breached.

Unsecured USB Drives

Using USB drives that are not encrypted or protected, making the data vulnerable.

Leaving Computers Unattended

Leaving a computer unattended in a public place, making it susceptible to theft or unauthorized access.

Crown Jewels of an Organization

Knowledge, know-how, and information that is considered highly valuable and strategic to an organization.

Intellectual Property (IP)

Refers to the intangible assets, such as knowledge, skills, and information, that are crucial for a company's success.

Layered Approach to Information Security

A multi-layered strategy for protecting information assets by implementing multiple security measures at various levels.

Methods of Information Theft

The specific methods and techniques used by attackers to gain unauthorized access to sensitive information.

Hostile Interception

The act of intentionally and deliberately trying to steal sensitive information from an organization.

Inadvertent Disclosure

The unintentional or accidental disclosure of sensitive information, often due to negligence or lack of awareness.

Information Risk Assessment

The process of assessing potential threats and vulnerabilities to information assets, helping organizations identify potential risks and implement security measures.

Information Security

A comprehensive set of policies, procedures, and technologies designed to protect information assets from unauthorized access, use, disclosure, disruption, modification, or destruction.

Confidentiality

The characteristic whereby only those with authorized access can view sensitive information. This ensures that unauthorized individuals or systems cannot gain access.

Breach of Confidentiality

Unauthorized access to information that should be kept private, which could be caused by misrouting, inadequate protection, or malicious software.

Integrity

Maintaining the accuracy and completeness of information, ensuring it remains unchanged without authorization. This prevents corruption, damage, or unauthorized alterations.

Breach of Integrity

Unauthorized alteration or modification of information, which could be caused by malicious attacks, accidental changes, or system errors.

Availability

The guarantee that information is accessible and usable when needed by authorized users. This includes the reliability of the systems holding it and timely access to it.

Breach of Availability

Unauthorized interruption or blocking of access to essential information, which could be caused by attacks, system failures, or natural disasters.

CIA Triad

A framework that helps organizations understand and manage information security risks. It is based on the three pillars of Confidentiality, Integrity, and Availability (CIA).

Study Notes

Part I - The Challenges

  • Information and intellectual capital are more valuable to a company than physical assets
  • Most organizations believe their information systems are secure, but this is not the reality
  • Information security needs a layered approach to protecting many different forms of information
  • Threats to information take various forms, including theft, solicitation and hostile interception
  • Espionage by foreign governments happens on a large scale to gain economic advantage; this involves front companies, joint ventures, or suppliers to the target.
  • Government-level espionage isn't limited to traditional adversaries
  • Industrial espionage happens between various countries and companies
  • Companies and employees can steal information, leading to many risks to organizations

Competitive Intelligence

  • Espionage is often confused with competitive intelligence (CI)
  • CI examines the strengths and weaknesses of competitors
  • It is challenging to draw a clear line between legitimate CI and illegally acquiring intellectual property.

Cyber Sabotage

  • Denying access to data is damaging to organizations, and in some cases, more so than theft
  • 46% of UK companies surveyed experienced a cyber security breach in 2017
  • Temporary loss of network/file access and corrupted systems are the most common outcomes of cyberattacks
  • The WannaCry ransomware attack encrypted machines and demanded ransom from over 230,000 computers.

The CIA triad

  • Confidentiality, Integrity, and Availability (CIA) are fundamental to information security
  • Confidentiality: Access to information is restricted to authorized personnel who have a need for it
  • Integrity: Guaranteeing that information isn't altered, modified or manipulated in unauthorised ways
  • Availability: Ensuring the continued, uninterrupted accessibility of information to authorized users.

The Threat Tempo

  • The threat tempo is increasing due to the rapid evolution of technology
  • New technologies and cyberattack methods rapidly increase
  • The security industry must constantly adapt to these new challenges.

Specific Idiosyncrasies of Information as an Asset

  • Information can take various forms, from spoken word to computer data
  • Intangible information is hard to effectively protect
  • Difficulty in accounting for all information assets.

The Information Lifecycle

  • Information takes different forms throughout its lifecycle
  • Information can be converted from handwriting to digital formats and stored in various ways
  • Many parties may access and share information, raising concerns for security

The Adversaries

  • Outsiders, malicious insiders, inadvertent disclosure, and collusion with outsiders are all types of adversaries, although these categories may be too simplistic to capture the full adversary landscape
  • Employees: Staff are frequently the target of espionage attempts
  • Competitors: Companies spy on one another using many methods
  • Business Partners: Businesses often trust their partners, creating an opportunity for threats arising from their employees
  • Foreign Governments: Foreign governments frequently target competitor companies for economic espionage, often targeting employees.
  • Journalists: News organizations and journalists can pose threats when sensitive information is leaked in pursuit of their stories.
  • Activists: Individuals opposed to certain entities are a potential source of threats, especially those active in cyberspace
  • Criminals: Criminals may want the data for identity theft or other criminal enterprises

Insider Threat

  • Insiders are particularly risky and pose a difficult threat to mitigate.
  • Employees, former employees, contractors and business partners can be malicious insiders
  • The loss or modification of information by an insider can have a large impact on organizations
  • A common motivation for insider threats is the intent to support competitors or outside entities when moving to a new job opportunity
  • The risk of insider threats is amplified due to current business requirements for mobility and remote technology support

Basic Protection Principles

  • Basic protection principles can be summarized with TRAPP: Technology, Response, Awareness, Procedures and Programmes, Physical security
  • Information classification can help people determine what information is sensitive
  • Some information systems are more important to organizations than others
  • Procedures and programmes are important elements of protecting information and systems
  • The effectiveness of many security measures depends on a strong company culture

Operational Security (OpSec)

  • OpSec protects non-sensitive information that can still reveal an organization's operations, capabilities, intentions and goals
  • OpSec can include basic measures such as clear desk policies and limiting who has access to certain information
  • Careful physical security of equipment and personnel is important
  • OpSec is crucial in managing risks to employees who are overseas, especially when they have access to sensitive information.

Incident Response and Investigations

  • The risk of an information breach can never be fully eliminated
  • It can be mitigated if a well-designed incident response plan is in place to identify, respond to, and follow up on an incident effectively
  • The ideal response plan should include roles and responsibilities, risk assessment analysis, procedures for reporting incidents, plans for handling different scenarios, and scheduled training and exercises for improving response skills.
